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Foreword 

This Occupational Health and Safety Assessment Series (OHSAS) guideline, and OHSAS 18001:1999, 
Occupational health and safety management systems — Specification, have been developed in response 
to urgent customer demand for a recognizable occupational health and safety management system 
standard against which their management systems can be assessed and certified, and for guidance on 
the implementation of such a standard. 

OHSAS 18001 is compatible with the ISO 9001:1994 (Quality systems) and ISO 14001:1996 
(Environmental management systems) standards, in order to facilitate the integration of quality, 
environmental and occupational health and safety management systems by organizations, should they 
wish to do so. 

OHSAS 18002 quotes the specific requirements from OHSAS 18001 and follows with relevant guidance. 
The clause numbering of OHSAS 18002 is aligned with that of OHSAS 18001. 

OHSAS 18002 will be reviewed or amended when considered appropriate. Reviews will be conducted 
when new editions of OHSAS 18001 are published (expected when revised editions of either ISO 9001 or 
ISO 14001 are published). 

OHSAS 18001 and OHSAS 18002 will be withdrawn on publication of their contents in, or as, 
international standards. 

The following documents were referenced during the development of this OHSAS guideline: 

BS 8800:1996, Guide to occupational health and safety management systems. 

Technical Report NPR 5001: 1997, Guide to an occupational health and safety management system. 

SGS & ISMOL ISA 2000:1997, Requirements for Safety and Health Management Systems. 

BVQI SafetyCert: Occupational Safety and Health Management Standard. 

DNV Standard for Certification of Occupational Health and Safety Management Systems 
(OHSMS):1997 

LRQA SMS 8800:1998, Health & Safety management systems assessment criteria. 

Draft NSAI SR 320, Recommendation for an Occupational Health and Safety (OH and S) Management 
System. 

Draft AS/NZ 4801, Occupational health and safety management systems - Specification with guidance 
for use. 

Draft BSI PAS 088, Occupational health and safety management systems. 

UNE 81900 series of pre-standards on the prevention of occupational risks. 

OHSAS 18002 will supersede some of these referenced documents. 

OHSAS 18001 maintains a high level of compatibility with, and technical equivalence to UNE 81900. 

For the United Kingdom: 

— BSI-OHSAS 18002 is not a British Standard; 

— BSI-OHSAS 18002 will be withdrawn on publication of its content in, or as, a British 
Standard; 

— BSI-OHSAS is published by BSI which retains its ownership and copyright. 


The development process used for OHSAS 18002 is open to other sponsors wishing to produce similar 
types of documents in association with BSI, provided that those sponsors are willing to comply with BSI’s 
conditions for such documents. 

This publication does not purport to include all necessary provisions of a contract. Users are responsible 
for its correct application. 

Compliance with this Occupational Health and Safety Assessment Series publication does 
not of itself confer immunity from legal obligations. 
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1 Scope 

This Occupational Health and Safety Assessment Series (OHSAS) guideline provides generic advice on 
the application of OHSAS 18001. 

It explains the underlying principles of OHSAS 18001 and describes the intent, typical inputs, processes 
and typical outputs, against each requirement of OHSAS 18001. This is to aid the understanding and 
implementation of OHSAS 18001. 

OHSAS 18002 does not create additional requirements to those specified in OHSAS 18001 nor does it 
prescribe mandatory approaches to the implementation of OHSAS 18001. 

This OHSAS guideline is applicable to occupational health and safety (OH&S) rather than product 
and services safety. 


OHSAS 18001 
1 Scope 

This Occupational Health and Safety Assessment Series (OHSAS) specification gives 
requirements for an occupational health and safety (OH&S) management system, to enable an 
organization to control its OH&S risks and improve its performance. It does not state specific 
OH&S performance criteria, nor does it give detailed specifications for the design of a 
management system. 

This OHSAS specification is applicable to any organization that wishes to: 

a) establish an OH&S management system to eliminate or minimize risk to employees 
and other interested parties who may be exposed to OH&S risks associated with its 
activities; 

b) implement, maintain and continually improve an OH&S management system; 

c) assure itself of its conformance with its stated OH&S policy; 

d) demonstrate such conformance to others; 

e) seek certification/registration of its OH&S management system by an external 
organization; or 

f) make a self-determination and declaration of conformance with this OHSAS 
specification. 

All the requirements in this OHSAS specification are intended to be incorporated into any 
OH&S management system. The extent of the application will depend on such factors as the 
OH&S policy of the organization, the nature of its activities and the risks and complexity of its 
operations. 

This OHSAS specification is intended to address occupational health and safety rather than 
product and services safety. 


2 Reference publications 

Other publications that provide information or guidance are listed in the Bibliography. It is advisable 
that the latest editions of such publications be consulted. Specifically, reference should be made to the 
following publications: 

OHSAS 18001:1999, Occupational health and safety management systems — Specification. 
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BS 8800:1996, Guide to occupational health and safety management systems. 

ISO 10011-1:1990, Guidelines for auditing quality systems — Part 1: Auditing. 

ISO 10011-2:1991, Guidelines for auditing quality systems — Part 2: Qualification criteria for 
quality systems auditors. 

ISO 10011-3:1991, Guidelines for auditing quality systems — Part 3: Management of audit 
programmes. 

ISO 14010:1996, Guidelines for environmental auditing — General principles. 

ISO 14011:1996, Guidelines for environmental auditing — Audit procedures — Auditing of 
environmental management systems. 

ISO 14012:1996, Guidelines for environmental auditing — Qualification criteria for environmental 
auditors. 


3 Terms and definitions 

For the purposes of this OHSAS guideline, the terms and definitions given in OHSAS 18001 apply. 

OHSAS 18001 Terms and definitions 

3.1 

accident 

undesired event giving rise to death, ill health, injury, damage or other loss 

3.2 

audit 

systematic examination to determine whether activities and related results conform to 
planned arrangements and whether these arrangements are implemented effectively and are 
suitable for achieving the organization’s policy and objectives (see 3.9) 

3.3 

continual improvement 

process of enhancing the OH&S management system, to achieve improvements in overall 
occupational health and safety performances, in line with the organization’s OH&S policy 

NOTE The process need not take place in all areas of activity simultaneously. 

3.4 

hazard 

source or situation with a potential for harm in terms of human injury or ill health, damage to 
property, damage to the workplace environment, or a combination of these 

3.5 

hazard identification 

process of recognizing that a hazard (see 3.4) exists and defining its characteristics 

3.6 

incident 

event that gave rise to an accident or had the potential to lead to an accident 

NOTE An incident where no ill health, injury, damage, or other loss occurs is also referred to as a “near-miss”. The 
term “incident” includes “near-misses”. 

3.7 

interested parties 

individual or group concerned with or affected by the OH&S performance of an organization 
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3.8 

non-conformance 

any deviation from work standards, practices, procedures, regulations, management system 
performance etc. that could either directly or indirectly lead to injury or illness, property 
damage, damage to the workplace environment, or a combination of these 

3.9 

objectives 

goals, in terms of OH&S performance, that an organization sets itself to achieve 
NOTE Objectives should be quantified wherever practicable. 

3.10 

occupational health and safety 

conditions and factors that affect the well-being of employees, temporary workers, contractor 
personnel, visitors and any other person in the workplace 

3.11 

OH&S management system 

part of the overall management system that facilitates the management of the OH&S risks 
associated with the business of the organization. This includes the organizational structure, 
planning activities, responsibilities, practices, procedures, processes and resources for 
developing, implementing, achieving, reviewing and maintaining the organization’s OH&S 
policy 

3.12 

organization 

company, operation, firm, enterprise, institution or association, or part thereof, whether 
incorporated or not, public or private, that has its own functions and administration 

NOTE For organizations with more than one operating unit, a single operating unit may be defined as an 
organization. 

3.13 

performance 

measurable results of the OH&S management system, related to the organization’s control of 
health and safety risks, based on its OH&S policy and objectives 

NOTE Performance measurement includes measurement of OH&S management activities and 
results. 

3.14 
risk 

combination of the likelihood and consequence(s) of a specified hazardous event occurring 

3.15 

risk assessment 

overall process of estimating the magnitude of risk and deciding whether or not the risk is 
tolerable 

3.16 
safety 

freedom from unacceptable risk of harm [ISO/IEC Guide 2] 
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3.17 

tolerable risk 

risk that has been reduced to a level that can be endured by the organization having regard to 
its legal obligations and its own OH&S policy _ 

NOTE 1 Some reference documents, including BS 8800, use the term "risk assessment" to encompass the entire process of 
hazard identification, determination of risk, and the selection of appropriate risk reduction or risk control measures. 
OHSAS 18001 and OHSAS 18002 refer to the individual elements of this process separately and use the term "risk 
assessment" to refer to the second of its steps, namely the determination of risk. 


NOTE 2 "Establishment" implies a level of permanency and the system should not be considered established until all its 
elements have been demonstrably implemented. "Maintenance" implies that, once established, the system continues to 
operate. This requires active effort on the part of the organization. Many systems start well but deteriorate due to lack of 
maintenance. Many of the elements of OHSAS 18001 (such as checking and corrective action and management review) are 
designed to ensure active maintenance of the system. 


4 OH&S management system elements 
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4.1 General requirements 

a) OHSAS 18001 requirement 


The organization shall establish and maintain an OH&S management system, the 
requirements for which are set out in clause 4. 


b)Intent 

The organization should establish and maintain a management system that conforms to all of the 
requirements of OHSAS 18001:1999. This should also assist the organization in meeting 
applicable legal or other OH&S regulations. 

The level of detail and complexity of the OH&S management system, the extent of documentation 
and the resources devoted to it are dependent on the size of an organization and the nature of its 
activities. 

An organization has the freedom and flexibility to define its boundaries and may choose to 
implement OHSAS 18001 with respect to the entire organization, or to specific operating units or 
activities of the organization. 

Caution should be taken in defining the boundaries and scope of the management system. 
Organizations should not attempt to limit their scope so as to exclude from assessment, an 
operation or activity required for the overall operation of the organization, or that can impact on 
the OH&S of its employees and other interested parties. 

If OHSAS 18001 is implemented for a specific operating unit or activity, the OH&S policies and 
procedures developed by other parts of the organization may be able to be used by the specific 
operating unit or activity to assist in meeting the requirements of OHSAS 18001. This may require 
that these OH&S policies or procedures are subject to minor revision or amendment, to ensure 
that they are applicable to the specific operation unit or activity. 


c) Typical input 

All the input requirements for implementing OHSAS 18001 are described in the specification. 

d) Typical output 

A typical output is an effectively implemented and maintained OH&S management system that 
assists the organization in continually seeking for improvements in its OH&S performance. 
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4.2 OH&S Policy 


Managei 

nent review 

/ Psi/ins / Feedback from 

Audit-► / u c y / - measuring 

/ / performance 

Plar 

Figure 2 

ining 

— OH&S policy 


a) OHSAS 18001 requirement 


There shall be an occupational health and safety policy authorized by the organization’s top 
management, that clearly states overall health and safety objectives and a commitment to 
improving health and safety performance. 

The policy shall: 

a) be appropriate to the nature and scale of the organization’s OH&S risks; 

b) include a commitment to continual improvement; 

c) include a commitment to at least comply with current applicable OH&S legislation 
and with other requirements to which the organization subscribes; 

d) be documented, implemented and maintained; 

e) be communicated to all employees with the intent that employees are made aware of 
their individual OH&S obligations; 

f) be available to interested parties; and 

g) be reviewed periodically to ensure that it remains relevant and appropriate to the 
organization. 


b)Intent 

An OH&S policy establishes an overall sense of direction and sets the principles of action for an 
organization. It sets OH&S objectives for OH&S responsibility and performance required 
throughout the organization. It demonstrates the formal commitment of an organization, 
particularly that of the organization’s top management, towards good OH&S management. 
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A documented OH&S policy statement should be produced and authorized by the organization's 
top management. 

NOTE The OH&S policy should be consistent with the organization's overall business policies and with its policies for 
other management disciplines e.g. quality management or environmental management. 


c) Typical inputs 

In establishing the OH&S policy, management should consider the following items: 

— policy and objectives relevant to the organization's business as a whole; 

— OH&S hazards of the organization; 

— legal and other requirements; 

— historical and current OH&S performance by the organization; 

— needs of other interested parties; 

— opportunities and needs for continual improvement; 

— resources needed; 

— contributions of employees; 

— contributions of contractors and other external personnel. 


d) Process 

The organization’s top management should draft and authorize an OH&S policy taking into 
account the points listed below. It is essential that the OH&S policy is communicated and 
promoted by the top management in the organization. 

An effectively formulated and communicated OH&S policy should: 

1) be appropriate to the nature and scale of the organization’s OH&S risks; 

Hazard identification, risk assessment and risk control are at the heart of a successful OH&S 
management system and should be reflected in the organization’s OH&S policy. 

The OH&S policy should be consistent with a vision of the organization’s future. It should be 
realistic and should neither overstate the nature of the risks the organization faces, nor 
trivialize them. 

2) include a commitment to continual improvement; 

Societal expectations are increasing the pressure on organizations to reduce the risk of illness, 
accidents and incidents in the workplace. In addition to meeting legal responsibilities, the 
organization should aim to improve its OH&S performance, and its OH&S management 
system, effectively and efficiently, to meet changing business and regulatory needs. 

Planned performance improvement should be expressed in the OH&S objectives (see 4.3.3) 
and managed through the OH&S management programme (see 4.3.4) although the OH&S 
policy statement may include broad areas for action. 

3) include a commitment to at least conform to current applicable OH&S legislation and with 
other requirements to which the organization subscribes; 
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Organizations are required to conform to applicable OH&S legislation and other OH&S 
requirements. The OH&S policy commitment is a public acknowledgement by the organization 
that it has a duty to conform to, if not exceed, such legislation or other requirements, and that 
it intends doing so. 


NOTE "Other requirements" can mean, for example, corporate or group policies, the organization's own internal 
standards or specifications, or codes of practice to which the organization subscribes. 


4) be documented, implemented and maintained; 

Planning and preparation are the key to successful implementation. Often, OH&S policy 
statements and OH&S objectives are unrealistic because there are inadequate or 
inappropriate resources available to deliver them. Before making any public declarations the 
organization should ensure that any necessary finance, skills and resources are available, and 
that all OH&S objectives are realistically achievable within this framework. 

In order for the OH&S policy to be effective, it should be documented and be periodically 
reviewed for continuing adequacy, and amended or revised if needed. 

5) be communicated to all employees with the intent that employees are made aware of their 
individual OH&S obligations; 

The involvement and commitment of employees is vital for successful OH&S. 

Employees need to be made aware of the effects of OH&S management on the quality of their 
own work environment and should be encouraged to contribute actively to OH&S 
management. 

Employees (at all levels, including management levels) are unlikely to be able to make an 
effective contribution to OH&S management unless they understand their responsibilities and 
are competent to perform their required tasks. 

This requires the organization to communicate its OH&S policies and OH&S objectives to its 
employees clearly, to enable them to have a framework against which they can measure their 
own individual OH&S performance. 


NOTE Many countries have OH&S legislation or regulations that demand consultation and participation of 
employees in their organization’s OH&S management systems. 


6) be available to interested parties; 

Any individual or group (either internal or external) concerned with or affected by the OH&S 
performance of the organization would be particularly interested in the OH&S policy 
statement. Therefore, a process should exist to communicate the OH&S policy to them. The 
process should ensure that interested parties receive the OH&S policy on request but need not 
necessarily provide for unsolicited copies. 

7) be reviewed periodically to ensure that it remains relevant and appropriate to the 
organization. 

Change is inevitable, legislation evolves and societal expectations increase. Consequently, the 
organization’s OH&S policy and management system needs to be reviewed regularly to ensure 
their continuing suitability and effectiveness. 

If changes are introduced, these should be communicated as soon as practicable. 
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e) Typical output 

A typical output is a comprehensive, understandable, OH&S policy that is communicated 
throughout the organization. 


4.3 Planning 


Po 

licy 
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Figure 

i and operation 

3 — Planning 


4.3.1 Planning for hazard identification, risk assessment and risk control 
a) OHSAS 18001 requirement 


The organization shall establish and maintain procedures for the ongoing identification of 
hazards, the assessment of risks, and the implementation of necessary control measures. 
These shall include: 

— routine and non-routine activities; 

— activities of all personnel having access to the workplace (including subcontractors 
and visitors); 

— facilities at the workplace, whether provided by the organization or others. 

The organization shall ensure that the results of these assessments and the effects of these 
controls are considered when setting its OH&S objectives. The organization shall document 
and keep this information up to date. 

The organization’s methodology for hazard identification and risk assessment shall: 

— be defined with respect to its scope, nature and timing to ensure it is proactive rather 
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than reactive; 

— provide for the classification of risks and identification of those that are to be 
eliminated or controlled by measures as defined in 4.3.3 and 4.3.4; 

— be consistent with operating experience and the capabilities of risk control measures 
employed; 

— provide input into the determination of facility requirements, identification of training 
needs and/or development of operational controls; 

— provide for the monitoring of required actions to ensure both the effectiveness and 
timeliness of their implementation. 


b)Intent 

The organization should have a total appreciation of all significant OH&S hazards in its domain, 
after using the processes of hazard identification, risk assessment and risk control. 


NOTE Some reference documents, including BS 8800, use the term "risk assessment" to encompass the entire process of 
hazard identification, determination of risk, and the selection of appropriate risk reduction or risk control measures. 
OHSAS 18001 and OHSAS 18002 refer to the individual elements of this process separately and use the term "risk 
assessment" to refer to the second of its steps, namely the determination of risk. 


The hazard identification, risk assessment and risk control processes and their outputs should be 
the basis of the whole OH&S system. It is important that the links between the hazard 
identification, risk assessment and risk control processes and the other elements of the OH&S 
management system are clearly established and apparent. Sub-clauses 4.3.1c) and 4.3.1e) give 
guidance on the links between the requirements of OHSAS 18001:1999, 4.3.1 and the other 
requirements of OHSAS 18001:1999. 

The purpose of this OHSAS guideline is to establish principles by which the organization can 
determine whether or not given hazard identification, risk assessment and risk control processes 
are suitable and sufficient. It is not the purpose to make recommendations on how these activities 
should be conducted. 

NOTE For further guidance on hazard identification, risk assessment and risk control processes see BS 8800. 


The hazard identification, risk assessment and risk control processes should enable the 
organization to identify, evaluate and control its OH&S risks on an ongoing basis. 

In all cases, consideration should be given to normal and abnormal operations within the 
organization, and to potential emergency conditions. 

The complexity of hazard identification, risk assessment and risk control processes greatly 
depends on factors such as the size of the organization, the workplace situations within the 
organization, and the nature, complexity and significance of the hazards. It is not the purpose of 
OHSAS 18001:1999, 4.3.1, to force small organizations with very limited hazards to undertake 
complex hazard identification, risk assessment and risk control exercises. 

The hazard identification, risk assessment and risk control processes should take into account the 
cost and time of performing these three processes, and the availability of reliable data. 

Information already developed for regulatory or other purposes may be used in these processes. 
The organization may also take into account the degree of practical control it can have over the 
OH&S risks being considered. The organization should determine what its OH&S risks are, taking 
into account the inputs and outputs associated with its current and relevant past activities, 
processes, products and /or services. 
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An organization with no existing OH&S management system can establish its current position 
with regard to OH&S risks by means of an initial review. The aim should be to consider all OH&S 
risks faced by the organization, as a basis for establishing the OH&S management system. An 
organization may wish to consider including (but not limiting itself to) the following items within 
its initial review: 

— legislative and regulatory requirements; 

— identification of the OH&S risks faced by the organization; 

— an examination of all existing OH&S management practices, processes and procedures; 

— an evaluation of feedback from the investigation of previous incidents, accidents and 
emergencies. 

A suitable approach to the initial review can include checklists, interviews, direct inspection and 
measurement, results of previous management system audits or other reviews depending on the 
nature of the activities. 

It is emphasized that an initial review is not a substitute for the implementation of the structured 
systematic approach given in the rest of 4.3.1. 

c) Typical inputs 

Typical inputs include the following items: 

— OH&S legal and other requirements (see 4.3.2); 

— OH&S policy (see 4.2); 

— records of incidents and accidents; 

— non-conformances (see 4.5.2); 

— OH&S management system audit results (see 4.5.4); 

— communications from employees and other interested parties (see 4.4.3); 

— information from employee OH&S consultations, review and improvement activities in 
the workplace (these activities can be either reactive or proactive in nature); 

— information on best practice, typical hazards related to the organization, incidents and 
accidents having occurred in similar organizations; 

— information on the facilities, processes and activities of the organization, including the 
following: 

— details of change control procedures; 

— site plan(s); 

— process flow-charts; 

— inventory of hazardous materials (raw materials, chemicals, wastes, products, 
sub-products); 

— toxicology and other OH&S data; 

— monitoring data (see 4.5.1); 

— workplace environmental data. 
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d) Process 

1) Hazard identification, risk assessment and risk control 

i) General 

Measures for the management of risk should reflect the principle of the elimination of hazards 
where practicable, followed in turn by risk reduction (either by reducing the likelihood of 
occurrence or potential severity of injury or damage), with the adoption of personal protective 
equipment (PPE) as a last resort. Hazard identification, risk assessment and risk control 
processes are key tools in the management of risk. 

Hazard identification, risk assessment and risk control processes vary greatly across 
industries, ranging from simple assessments to complex quantitative analyses with extensive 
documentation. It is for the organization to plan and implement appropriate hazard 
identification, risk assessment and risk control processes that suit its needs and its workplace 
situations, and to assist it to conform to any OH&S legislative requirements. 

Hazard identification, risk assessment and risk control processes should be carried out as 
proactive measures, rather than as reactive ones, i.e. they should precede the introduction of 
new or revised activities or procedures. Any necessary risk reduction and control measures 
that are identified should be implemented before the changes are introduced. 

The organization should keep its documentation, data and records concerning the 
identification of hazards and the assessment and control of risks up-to-date in respect of 
ongoing activities, and also extend them to cover new developments and new or modified 
activities, before these are introduced. 

Hazard identification, risk assessment and risk control processes should not only be applied to 
"normal" operations of plant and procedures, but also to periodic or occasional 
operations/procedures such as plant cleaning and maintenance, or during plant start¬ 
ups/shut-downs. 

The existence of written procedures to control a particular hazardous task does not remove 
the need for the organization to continue to perform hazard identification, risk assessment 
and risk control processes on that operation. 

As well as considering the hazards and risks posed by activities carried out by its own 
personnel, the organization should consider hazards and risks arising from the activities of 
contractors and visitors, and from the use of products or services supplied to it by others. 

ii) Hazard identification, risk assessment and risk control processes 

The hazard identification, risk assessment and risk control processes should be documented 
and should include the following elements: 

— identification of hazards; 

— evaluation of risks with existing (or proposed) control measures in place (taking into 
account exposure to specific hazards, the likelihood of failure of the control measures, and 
the potential severity of consequences of injury or damage); 

— evaluation of the tolerability of residual risk: 

— identification of any additional risk control measures needed; 
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— evaluation of whether the risk control measures are sufficient to reduce the risk to a 
tolerable level. 


Additionally, the processes should include the definition of the following items: 

— the nature, timing, scope, and methodology for any form of hazard identification, risk 
assessment and risk control that is to be used; 

— applicable OH&S legislation or other requirements; 

— the roles and authorities of personnel responsible for performing the processes; 

— the competency requirements and training needs (see 4.4.2) for personnel who are to 
perform the processes. (Depending on the nature or type of processes to be used, it may be 
necessary for the organization to use external advice or services); 

— the use of information from employee OH&S consultations, review and improvement 
activities (these activities can be either reactive or proactive in nature); 

— how consideration should be given to the risk of human error within the processes 
being examined; 

— the hazards posed by materials, plant or equipment that degrade over time, 
particularly when such materials, plant, or equipment is in storage. 

iii) Subsequent actions 

Following the performance of the hazard identification, risk assessment and risk control 
processes: 

— there should be clear evidence that any corrective or preventive actions (see 4.5.2) 
identified as being necessary are monitored for their timely completion (these may require 
that further hazard identification and risk assessments be conducted, to reflect proposed 
changes to risk control measures and to determine revised estimates of the residual risks) ; 

— feedback on the results, and on progress in the completion of corrective or preventive 
actions, should be provided to management, as input for management review (see 4.6) and 
for the establishment of revised or new OH&S objectives; 

— the organization should be in a position to determine whether the competency of 
personnel performing specific hazardous tasks is consistent with that specified by the risk 
assessment process in establishing the necessary risk controls; 

— feedback from subsequent operating experience should be used to amend the processes, 
or the data on which they are based, as applicable. 


2) Review of hazard identification, risk assessment and risk controls (see also 4.6) 

The hazard identification, risk assessment and risk control process should be reviewed at a 
pre-determined time or period as set out in the OH&S policy document or at a time pre¬ 
determined by management. This period can vary depending on the following considerations: 

— the nature of the hazard; 
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— the magnitude of the risk; 

— changes from normal operation; 

— changes in feedstocks, raw materials, chemicals, etc. 


The review should also take place if changes within the organization call into question the 
validity of the existing assessments. Such changes can include the following elements: 

— expansion, contraction, restructuring; 

— reapportioning of responsibilities; 

— changes to methods of working or patterns of behaviour. 


e) Typical outputs 

There should be documented procedure(s) for the following elements: 

— identification of hazards; 

— determination of the risks associated with the identified hazards; 

— indication of the level of the risks related to each hazard, and whether they are, or are not, 
tolerable; 

— description of, or reference to, the measures to monitor and control the risks (see 4.4.6 and 
4.5.1), particularly risks that are not tolerable; 

— where appropriate, the OH&S objectives and actions to reduce identified risks (see 4.3.3), 
and any follow-up activities to monitor progress in their reduction; 

— identification of the competency and training requirements to implement the control 
measures (see 4.4.2); 

— necessary control measures should be detailed as part of the operational control element of 
the system (4.4.6); 

— records generated by each of the above mentioned procedures. 

NOTE Some reference documents, including BS 8800, use the term "risk assessment" to encompass the 
entire process of hazard identification, determination of risk, and the selection of appropriate risk reduction 
or risk control measures. OHSAS 18001 and OHSAS 18002 refer to the individual elements of this process 
separately and use the term "risk assessment" to refer to the second of its steps, namely the determination of 
risk. 


4.3.2 Legal and other requirements 
a) OHSAS 18001 requirement 


The organization shall establish and maintain a procedure for identifying and accessing the 
legal and other OH&S requirements that are applicable to it. 

The organization shall keep this information up-to-date. It shall communicate relevant 
information on legal and other requirements to its employees and other relevant interested 
parties. 
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b)Intent 

The organization needs to be aware of and understand how its activities are, or will be, affected by 
applicable legal and other requirements, and to communicate this information to relevant personnel. 

This requirement of 4.3.2 from OHSAS 18001:1999 is intended to promote awareness and 
understanding of legal responsibilities. It is not intended to require the organization to establish 
libraries of legal or other documents that are rarely referenced or used. 


c) Typical inputs 

Typical inputs include the following items: 

— details of the organization's production or service realization processes; 

— hazard identification, risk assessment and risk control results (see 4.3.1); 

— best practices (e.g. codes, industry association guidelines); 

— legal requirements/governmental regulations; 

— listing of information sources; 

— national, foreign, regional or international standards; 

— internal organizational requirements; 

— requirements of interested parties. 

d) Process 

Relevant legislation and other requirements should be identified. Organizations should seek out 
the most appropriate means for accessing the information, including the media supporting the 
information (e.g. paper, CD, disk, internet). The organization should also evaluate which 
requirements apply and where they apply, and who needs to receive which kind of information in 
the organization. 

e) Typical outputs 

Typical outputs include the following items: 

— procedures for identifying and accessing information; 

— identification of which requirements apply and where [this can take the form of a 
register(s)]; 

— requirements (actual text, summary or analysis, where appropriate), available in locations 
which are to be decided by the organization; 

— procedures for monitoring the implementation of controls consequent to new OH&S 
legislation. 
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4.3.3 Objectives 

a) OHSAS 18001 requirement 


The organization shall establish and maintain documented occupational health and safety 
objectives, at each relevant function and level within the organization. 

NOTE Objectives should be quantified wherever practicable. 

When establishing and reviewing its objectives, an organization shall consider its legal and 
other requirements, its OH&S hazards and risks, its technological options, its financial, 
operational and business requirements, and the views of interested parties. The objectives 
shall be consistent with the OH&S policy, including the commitment to continual 
improvement. 


b) Intent 

It is necessary to ensure that, throughout the organization, measurable OH&S objectives are 
established to enable the OH&S policy to be achieved. 

c) Typical inputs 

Typical inputs include the following items: 

— policy and objectives relevant to the organization's business as a whole; 

— OH&S policy, including the commitment to continual improvement (see 4.2); 

— results of hazard identification, risk assessment and risk control (see 4.3.1); 

— legal and other requirements (see 4.3.2); 

— technological options; 

— financial, operational and business requirements; 

— views of employees and interested parties (see 4.4.3); 

— information from employee OH&S consultations, reviews and improvement activities in 
the workplace (these activities can be either reactive or proactive in nature); 

— analysis of performance against previously established OH&S objectives; 

— past records of OH&S nonconformances, accidents, incidents, and property damage; 

— results of the management review (see 4.6). 


d) Process 

Using information or data from the "Typical inputs" described above, appropriate levels of 
management should identify, establish and prioritize OH&S objectives. 

During the establishment of OH&S objectives, particular regard should be given to information or 
data from those most likely to be affected by individual OH&S objectives, as this can assist in 
ensuring that they are reasonable and more widely accepted. It is also useful to consider 
information or data from sources external to the organization, e.g. from contractors or other 
interested parties. 
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Meetings by the appropriate levels of management for the establishment of OH&S objectives 
should be held regularly (e.g. at least on an annual basis). 

For some organizations, there can be a need to document the process of establishing the OH&S 
objectives. 

The OH&S objectives should address both broad corporate OH&S issues and OH&S issues that are 
specific to individual functions and levels within the organization. 

Suitable indicators should be defined for each OH&S objective. These indicators should allow for 
the monitoring of the implementation of the OH&S objectives. 

OH&S objectives should be reasonable and achievable, in that the organization should have the 
ability to reach them and monitor progress. A reasonable and achievable time scale should be 
defined for the realization of each OH&S objective. 

OH&S objectives may be broken down into separate goals, depending on the size of the 
organization, the complexity of the OH&S objective and its time-scale. There should be clear links 
between the various levels of goals and OH&S objectives. 

Examples of types of OH&S objectives include: 

— reduction of risk levels; 

— the introduction of additional features into the OH&S management system; 

— the steps taken to improve existing features, or the consistency of their application; 

— the elimination or the reduction in frequency of particular undesired incident(s). 


The OH&S objectives should be communicated (e.g. via training or group briefing sessions; 
see 4.4.2) to relevant personnel, and be deployed through the OH&S management programme(s) 
(see 4.3.4). 

e) Typical outputs 

Typical outputs include documented, measurable, OH&S objectives for each function in the 
organization. 


4.3.4 OH&S management programme(s) 
a) OHSAS 18001 requirement 


The organization shall establish and maintain (an) OH&S management programme(s) for 
achieving its objectives. This shall include documentation of: 

a) the designated responsibility and authority for achievement of the objectives at 
relevant functions and levels of the organization; and 

b) the means and time-scale by which objectives are to be achieved. 

The OH&S management programme(s) shall be reviewed at regular and planned intervals. 
Where necessary the OH&S management programme(s) shall be amended to address changes 
to the activities, products, services, or operating conditions of the organization. 
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b) Intent 

The organization should seek to achieve its OH&S policy and OH&S objectives by estabhshing an 
OH&S management programme(s). This will require the development of strategies and plans of actions 
to be taken, which should be documented and communicated. Progress against meeting the OH&S 
objectives should be monitored, reviewed and recorded, and the strategies and plans should be updated 
or amended accordingly. 

c) Typical inputs 

Typical inputs include the following items: 

— OH&S policy and OH&S objectives; 

— reviews of legal and other requirements; 

— results of hazard identification, risk assessment and risk control: 

— details of the organization’s production or service realization processes; 

— information from employee OH&S consultations , review and improvement activities in 
the workplace (these activities can be either reactive or proactive in nature); 

— reviews of opportunities available from new, or different, technological options; 

— continual improvement activities; 

— availability of resources needed to achieve the organization’s OH&S objectives. 


d) Process 

The OH&S management programme should identify the individuals who are responsible for 
delivering the OH&S objectives (at each relevant level). It should also identify the various tasks 
which need to be implemented in order to meet each OH&S objective. 

It should provide for the allocation of appropriate responsibility and authority for each task and 
allocate time-scales to each individual task, in order to meet the overall time-scale of the related 
OH&S objective. It should also provide for the allocation of suitable resources (e.g. financial, 
human, equipment, logistics) to each task. 

The programme can also relate to specific training programmes (see 4.4.2). The training 
programmes will further provide for the distribution of information and co-ordinate supervision. 

Where significant alterations or modifications in working practices, processes, equipment or 
material are expected, the programme should provide for new hazard identification and risk 
assessment exercises. The OH&S management programme should provide for consultation of 
relevant personnel on expected changes. 

e) Typical outputs 

Typical outputs include defined, documented OH&S management programme(s). 
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4.4 Implementation and operation 
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4.4.1 Structure and responsibilities 
a) OHSAS 18001 requirement 


The roles, responsibilities and authorities of personnel who manage, perforin and verify 
activities having an effect on the OH&S risks of the organization’s activities, facilities and 
processes, shall be defined, documented and communicated in order to facilitate OH&S 
management. 

Ultimate responsibility for occupational health and safety rests with top management. The 
organization shall appoint a member of top management (e.g. in a large organization, a board 
or executive committee member) with particular responsibility for ensuring that the OH&S 
management system is properly implemented and performing to requirements in all locations 
and spheres of operation within the organization. 

Management shall provide resources essential to the implementation, control and 
improvement of the OH&S management system. 

NOTE Resources include human resources and specialized skills, technology and financial resources. 

The organization’s management appointee shall have defined roles, responsibilities and 
authority for: 

a) Ensuring that OH&S management system requirements are established, 
implemented and maintained in accordance with this OHSAS specification; 

b) Ensuring that reports on the performance of the OH&S management system are 
presented to top management for review and as a basis for improvement of the 
OH&S management system. 
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All those with management responsibility shall demonstrate their commitment to the 
continual improvement of OH&S performance. 


b) Intent 

To facilitate effective OH&S management it is necessary that roles, responsibilities and 
authorities are defined, documented and communicated, and that adequate resources are provided 
to enable OH&S tasks to be performed. 

c) Typical inputs 

Typical inputs include the following: 

— organizational structure/organigram; 

— hazard identification, risk assessment and risk control results; 

— OH&S objectives; 

— legal and other requirements; 

— job descriptions; 

— listings of qualified personnel. 

d) Process 

1) Overview 

The responsibilities and authority of all persons who perform duties that are part of the 
OH&S management system should be defined, including clear definitions of responsibilities at 
the interfaces between different functions. 

Such definitions can, among others, be required for the following people: 

— top management; 

— line management at all levels in the organization; 

— process operators and the general workforce; 

— those managing the OH&S of contractors; 

— those responsible for OH&S training; 

— those responsible for equipment that is critical for OH&S; 

— employees with OH&S qualifications, or other OH&S specialists, within the 
organization; 

— employee OH&S representatives on consultative forums. 

However, the organization should communicate and promote the idea that OH&S is the 
responsibility of everyone in the organization, not just the responsibility of those with defined 
OH&S management system duties. 
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2) Defining top management responsibilities 

The responsibility of top management should include defining the organization’s OH&S policy, 
and ensuring that the OH&S management system is implemented. As part of this 
commitment, a specific management appointee with defined responsibilities and authority for 
implementing the OH&S management system should be designated by top management. (In 
large or complex organizations there may be more than one designated appointee.) 

3) Defining management appointee responsibilities 

The OH&S management appointee should be a member of top management. The OH&S 
management appointee may be supported by other personnel who have delegated 
responsibilities for monitoring the overall operation of the OH&S function. However, the 
management appointee should be regularly informed of the performance of the system, and 
should retain active involvement in periodic reviews and the setting of OH&S objectives. It 
should be ensured that any other duties or functions assigned to these personnel do not 
conflict with the fulfilment of their OH&S responsibilities. 

4) Defining line management responsibilities 

Line management responsibility should include ensuring that OH&S is managed within their 
area of operations. Where prime responsibility for OH&S matters rests with line 
management, the role and responsibilities of any specialist OH&S function within the 
organization should be appropriately defined to avoid ambiguity with respect to 
responsibilities and authorities. This should include arrangements to resolve any conflict 
between OH&S issues and productivity considerations by escalation to a higher level of 
management. 

5) Documentation of roles and responsibilities 

OH&S responsibilities and authorities should be documented in a form appropriate to the 
organization. This can take one or more of the following forms, or an alternative of the 
organization’s choosing: 

— OH&S management system manuals; 

— working procedures and task descriptions; 

— job descriptions; 

— induction training package. 


If the organization chooses to issue written job descriptions covering other aspects of 
employees’ roles and responsibilities, then OH&S responsibilities should be incorporated into 
those job descriptions. 

6) Communication of roles and responsibilities 

OH&S responsibilities and authorities need to be effectively communicated to all those whom 
they affect at all levels within the organization. This should ensure that individuals 
understand the scope and the interfaces between the various functions, and the channels to be 
used to initiate action. 

7) Resources 

Management should ensure that adequate resources are available for the maintenance of a 
safe workplace, including equipment, human resources, expertise and training. 


© BSI 02-2000 


21 



OHSAS 18002:2000 


Resources can be considered adequate if they are sufficient to carry out OH&S programmes 
and activities, including performance measurement and monitoring. 

For organizations with established OH&S management systems, the adequacy of resources 
can be at least partially evaluated by comparing the planned achievement of OH&S objectives 
with actual results. 

8) Management commitment 

Managers should provide visible demonstration of their commitment to OH&S. Means of 
demonstration can include visiting and inspecting sites, participating in accident 
investigation, and providing resources in the context of corrective action, attendance at OH&S 
meetings, and issuing messages of support. 


e) Typical outputs 

Typical outputs include the following: 

— definitions of OH&S responsibilities and authorities for all relevant personnel; 

— documentation of roles/responsibilities in manuals/procedures/training packages; 

— process for communicating roles and responsibilities to all employees and other relevant 
parties; 

— active management participation and support for OH&S, at all levels. 


4.4.2 Training, awareness and competence 
a) OHSAS 18001 requirement 


Personnel shall be competent to perform tasks that may impact on OH&S in the workplace. 
Competence shall be defined in terms of appropriate education, training and/or experience. 

It shall establish and maintain procedures to ensure that its employees working at each 
relevant function and level are aware of: 

— the importance of conformance to the OH&S policy and procedures, and to the 
requirements of the OH&S management system; 

— the OH&S consequences, actual or potential, of their work activities and the OH&S 
benefits of improved personal performance; 

— their roles and responsibilities in achieving conformance to the OH&S policy and 
procedures and to the requirements of the OH&S management system, including 
emergency preparedness and response requirements (see 4.4.7); 

— the potential consequences of departure from specified operating procedures. 
Training procedures shall take into account differing levels of: 

— responsibility, ability and literacy; and 

— risk. 


22 


© BSI 02-2000 




OHSAS 18002:2000 


b)Intent 

Organizations should have effective procedures for ensuring the competence of personnel to carry 
out their designated functions. 


c) Typical inputs 

Typical inputs include the following items: 

— definitions of roles and responsibilities; 

— job descriptions (including details of hazardous tasks to be performed); 

— employee performance appraisals; 

— hazard identification, risk assessment and risk control results; 

— procedures and operating instructions; 

— OH&S policy and OH&S objectives; 

— OH&S programmes. 

d) Process 

The following elements should be included in the process: 

— a systematic identification of the OH&S awareness and competencies required at each 
level and function within the organization; 

— arrangements to identify and remedy any shortfalls between the level currently possessed 
by the individual and the required OH&S awareness and competency; 

— provision of any training identified as being necessary, in a timely and systematic manner; 

— assessment of individuals to ensure that they have acquired, and that they maintain, the 
knowledge and competency required; 

— maintenance of appropriate records of an individual’s training and competency. 


An OH&S awareness and training programme should be established and maintained to address 
the following areas: 

— an understanding of the organization’s OH&S arrangements and individuals’ specific roles 
and responsibilities for them; 

— a systematic programme of induction and ongoing training for employees and those who 
transfer between divisions, sites, departments, areas, jobs or tasks within the organization; 

— training in local OH&S arrangements and hazards, risks, precautions to be taken and 
procedures to be followed, this training being provided before work commences; 

— training for performing hazard identification, risk assessment and risk control 
(see 4.3.Id); 

— specific in-house or external training which can be required for employees with specific 
roles in the OH&S system, including employee OH&S representatives; 
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— training for all individuals who manage employees, contractors and others (e.g. temporary 
workers), in their OH&S responsibilities. This is to ensure that both they and those under 
their control understand the hazards and risks of the operations for which they are 
responsible, wherever they take place. Additionally, this is to ensure that personnel have the 
competencies necessary to carry out the activities safely, by following OH&S procedures; 

— the roles and responsibilities (including corporate and individual legal responsibilities) of 
top management for ensuring that the OH&S management system functions to control risks 
and minimize illness, injury and other losses to the organization; 

— training and awareness programmes for contractors, temporary workers and visitors, 
according to the level of risk to which they are exposed. 


The effectiveness of training and the resulting level of competency should be evaluated. This can 
involve assessment as part of the training exercise, and/or appropriate field checks to establish 
whether competency has been attained, or to monitor the longer term impact of training delivered. 

e) Typical outputs 

Typical outputs include the following items: 

— competency requirements for individual roles; 

— analysis of training needs; 

— training programmes/plans for individual employees; 

— range of training courses/products available for use within the organization; 

— training records, and records of evaluation of the effectiveness of training. 


4.4.3 Consultation and communication 
a) OHSAS 18001 requirement 


The organization shall have procedures for ensuring that pertinent OH&S information is 
communicated to and from employees and other interested parties. 

Employee involvement and consultation arrangements shall be documented and interested 
parties informed. 

Employees shall be: 

— involved in the development and review of policies and procedures to manage risks; 

— consulted where there are any changes that affect workplace health and safety; 

— represented on health and safety matters; and 

informed as to who is their employee OH&S representative(s) and specified management 
appointee (see 4.4.1). 
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b) Intent 

The organization should encourage participation in good OH&S practices, and support for its 
OH&S policy and OH&S objectives, from all those affected by its operations, by a process of 
consultation and communication. 

c) Typical inputs 

Typical inputs include the following items: 

— OH&S policy and OH&S objectives; 

— relevant OH&S management system documentation 

— hazard identification, risk assessment and risk control procedures; 

— definitions of OH&S roles and responsibilities; 

— results of formal employee OH&S consultations with management; 

— information from employee OH&S consultations, review and improvement activities in the 
workplace (these activities can be either reactive or proactive in nature); 

— training programme details. 


d) Process 

The organization should document and promote the arrangements by which it consults on and 
communicates pertinent OH&S information to and from its employees and other interested parties 
(e.g. contractors, visitors). 

This should include arrangements to involve employees in the following processes: 

— consultation over the development and review of policies, the development and review of 
OH&S objectives, and decisions on the implementation of processes and procedures to manage 
risks, including the carrying out of hazard identification, and in reviewing risk assessments 
and risk controls relevant to their own activities; 

— consultation over changes affecting workplace OH&S such as the introduction of new, or 
modified, equipment, materials, chemicals, technologies, processes, procedures or work 
patterns. 

Employees should be represented on OH&S matters, and should be informed as to who is their 
employee representative, and the specified management appointee. 

e) Typical outputs 

Typical outputs include the following: 

— formal management and employee consultations through OH&S councils and similar 
bodies; 

— employee involvement in hazard identification, risk assessment and risk control; 

— initiatives to encourage employee OH&S consultations, review and improvement activities 
in the workplace, and feedback to management on OH&S issues; 
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— employee OH&S representatives with defined roles and communication mechanisms with 
management, including, for example, involvement in accident and incident investigations, site 
OH&S inspections etc.; 

— OH&S briefings for employees and other interested parties, e.g. contractors or visitors; 

— notice boards containing OH&S performance data, and other pertinent OH&S information; 

— OH&S newsletter; 

— OH&S poster programme. 

4.4.4 Documentation 

a) OHSAS 18001 requirement 

The organization shall establish and maintain information, in a suitable medium such as 
paper or electronic form, that: 

a) describes the core elements of the management system and their interaction; and 

b) provides direction to related documentation. 

NOTE It is important that documentation is kept to the minimum required for effectiveness and efficiency. 


b) Intent 

The organization should document and maintain up-to-date sufficient documentation to ensure 
that its OH&S management system can be adequately understood and effectively and efficiently 
operated. 

c) Typical inputs 

Typical inputs include the following items: 

— details of the documentation and information systems the organization develops to 
support its OH&S management system and OH&S activities, and to fulfil the requirements of 
OHSAS 18001:1999; 

— responsibilities and authorities; 

— information on the local environments in which documentation or information is used, 
and constraints that this can put on the physical nature of documentation, or the use of 
electronic or other media. 


d) Process 

The organization should review its documentation and information needs for the OH&S 
management system, before developing the documentation necessary to support its OH&S 
processes. 

There is no requirement to develop documentation in a particular format in order to conform to 
OHSAS 18001, nor is it necessary to replace existing documentation such as manuals, procedures, 
or work instructions where these adequately describe current arrangements. If the organization 
already has an established, documented OH&S management system, it can prove more convenient 
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and effective for it to develop, for example, an overview document describing the inter-relation 
between its existing procedures and the requirements of OHSAS 18001:1999. 

Account should be taken of the following: 

— the responsibilities and authorizations of the users of the documentation and information, 
as this should lead to consideration of the degree of security and accessibility that can need to 
be imposed, particularly with electronic media, and change controls (see 4.4.5); 

— the manner in which physical documentation is used, and the environment in which it is 
used, as this can require consideration of the format in which it is presented. Similar 
consideration should be given concerning the use of electronic equipment for information 
systems. 

e) Typical outputs 

Typical outputs include the following items: 

— OH&S management system documentation overview document or manual: 

— document registers, master lists or indexes; 

— procedures; 

— work instructions. 


4.4.5 Document and data control 

a) OHSAS 18001 requirement 


The organization shall establish and maintain procedures for controlling all documents and data 

required by this OHSAS specification to ensure that: 

a) they can be located; 

b) they are periodically reviewed, revised as necessary and approved for adequacy by 
authorized personnel; 

c) current versions of relevant documents and data are available at all locations where 
operations essential to the effective functioning of the OH&S system are performed; 

d) obsolete documents and data are promptly removed from all points of issue and points of 
use or otherwise assured against unintended use; and 

e) archival documents and data retained for legal and knowledge preservation purposes or 
both, are suitably identified. 


b)Intent 

All documents and data containing information critical to the operation of the OH&S management 
system and the performance of the organization's OH&S activities, should be identified and 
controlled. 
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c) Typical inputs 

Typical inputs include the following items: 

— details of the documentation and data systems the organization develops to support its 
OH&S management system and OH&S activities, and to fulfil the requirements of OHSAS 
18001:1999; 

— details of responsibilities and authorities. 


d) Process 

Written procedures should define the controls for the identification, approval, issue and removal of 
OH&S documentation, together with the control of OH&S data, (in accordance with the 
requirements of 4.4.5 from OHSAS 18001 above). These procedures should clearly define the 
categories of documentation and data to which they apply. 

Documentation and data should be available and accessible when required, under routine and non¬ 
routine conditions, including emergencies. For example this should include ensuring that up-to- 
date plant engineering drawings, hazardous material data sheets, procedures and instructions are 
available to process operators, and all who can require them in an emergency. 

e) Typical outputs 

Typical outputs include the following items: 

— document control procedure, including assigned responsibilities and authorities; 

— document registers, master lists or indexes; 

— list of controlled documentation and its location; 

— archive records (some of which can need to be held in accordance with legal or other time 
requirements). 


4.4.6 Operational control 

a) OHSAS 18001 requirement 


The organization shall identify those operations and activities that are associated with identified 
risks where control measures need to be apphed. The organization shall plan these activities, 
including maintenance, in order to ensure that they are carried out under specified conditions by: 

a) establishing and maintaining documented procedures to cover situations where their 
absence could lead to deviations from the OH&S policy and the objectives; 

b) stipulating operating criteria in the procedures; 

c) establishing and maintaining procedures related to the identified OH&S risks of 
goods, equipment and services purchased and/or used by the organization and 
communicating relevant procedures and requirements to suppliers and contractors; 

d) establishing and maintaining procedures for the design of workplace, process, 
installations, machinery, operating procedures and work organization, including 
their adaptation to human capabilities, in order to eliminate or reduce OH&S risks 
at their source. 
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b) Intent 

The organization should establish and maintain arrangements to ensure the effective application 
of control and counter measures, wherever these are required to control operational risks, fulfil the 
OH&S policy and OH&S objectives, and conform to legal and other requirements. 

c) Typical inputs 

Typical inputs include the following items: 

— OH&S policy and OH&S objectives; 

— hazard identification, risk assessment and risk control results; 

— identified legal and other requirements. 


d) Process 

The organization should establish procedures to control its identified risks (including those that 
could be introduced by contractors or visitors), documenting these in instances where a failure to 
do so could lead to incidents, accidents or other deviations from the OH&S policy and OH&S 
objectives. The risk control procedures should be reviewed on a regular basis for their suitability 
and effectiveness, and changes that are identified as being necessary should be implemented. 

Account can need to be taken in the procedures of situations where the risks extend into client or 
other external party premises or areas of control: for example, when employees of the organization 
are working at a client's site. It can sometimes be necessary to enter into consultation with the 
external party on OH&S in such circumstances. 

Some examples of areas in which risks typically arise, and some examples of control measures 
against them are given below. 

1) Purchase or transfer of goods and services and use of external resources 

This includes the following items: 

— approval to purchase or transfer hazardous chemicals, materials and substances; 

— availability of documentation for the safe handling of machinery, equipment, materials, or 
chemicals at time of purchase, or the need to obtain such documentation; 

— evaluation, and periodic re-evaluation of the OH&S competence of contractors; 

— approval of the design of OH&S provisions for new plant or equipment. 


2) Hazardous tasks 

This includes the following: 

— identification of hazardous tasks; 

— pre-determination and approval of working methods; 

— pre-qualification of personnel for hazardous tasks; 

— permit-to-work systems, and procedures controlling the entry and exit of personnel to 
hazardous work sites. 
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3) Hazardous materials 

This includes the following: 

— identification of inventories, and storage locations; 

— safe storage provisions and control of access; 

— provision and access to material safety data and other relevant information. 

4) Maintenance of safe plant and equipment 

This includes the following: 

— provision, control and maintenance of the organization's plant and equipment; 

— provision, control and maintenance of PPE; 

— segregation and control of access; 

— inspection and testing of OH&S related equipment and high integrity systems such as: 

— operator protection systems; 

— guarding and physical protection; 

— shutdown systems; 

— fire detection and suppression equipment; 

— handling equipment (cranes, forklifts, hoists and other lifting devices); 

— radiological sources and safeguards; 

— essential monitoring devices; 

— local exhaust ventilation systems; 

— medical facilities and provisions. 

e) Typical outputs 

Typical outputs include the following items: 

— procedures; 

— work instructions. 

4.4.7 Emergency preparedness and response 
a) OHSAS 18001 requirement 

The organization shall establish and maintain plans and procedures to identify the potential for, 
and responses to, incidents and emergency situations, and for preventing and mitigating the likely 
illness and injury that may be associated with them. 

The organization shall review its emergency preparedness and response plans and procedures, 
in particular, after the occurrence of incidents or emergency situations. 

The organization shall also periodically test such procedures where practicable. 
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b) Intent 

The organization should actively assess potential accident and emergency response needs, plan to 
meet them, develop procedures and processes to cope with them, test its planned responses, and 
seek to improve the effectiveness of its responses. 

c) Typical inputs 

Typical inputs include the following items: 

— hazard identification, risk assessment and risk control results; 

— availability of local emergency services, and details of any emergency response or 
consultation arrangements that have been agreed; 

— legal or other requirements; 

— experiences of previous accidents, incidents and emergency situations; 

— similar organizations' experiences from previous accidents, incidents and emergency 
situations (lessons learned, best practices); 

— reviews of emergency and practice drills performed and the results of subsequent actions. 


d) Process 

The organization should develop an emergency plan(s), identify and provide appropriate 
emergency equipment, and regularly test its response capability through practice drills. 

Practice drills should aim to test the effectiveness of the most critical parts of the emergency 
plan(s) and to test the completeness of the emergency planning process. While desktop exercises 
can be useful during the planning process, practice drills should be as realistic as possible to be 
effective. This can require full-scale incident simulations to be conducted. 

The results of emergencies and practice drills should be evaluated, and changes that are identified 
as being necessary should be implemented. 

1) Emergency plan 

The emergency plan(s) should outline the actions to be taken when specified emergency 
situations arise, and should include the following: 

— identification of potential accidents and emergencies; 

— identification of the person to take charge during the emergency; 

— details of actions to be taken by personnel during an emergency, including those 
actions to be taken by external personnel who are on the site of the emergency, such as 
contractors or visitors (who can be required, for example, to move to specified assembly 
points); 

— responsibility, authority and duties of personnel with specific roles during the 
emergency (e.g. fire-wardens, first-aid staff, nuclear leak/toxic spillage specialists); 

— evacuation procedures; 

— identification and location of hazardous materials, and emergency action required; 

— interface with external emergency services; 
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— communication with statutory bodies; 

— communication with neighbours and the public; 

— protection of vital records and equipment; 

— availability of necessary information during the emergency e.g. plant layout drawings, 
hazardous material data, procedures, work instructions and contact telephone numbers. 

The involvement of external agencies in emergency planning and response should be clearly 
documented. These agencies should be advised as to the possible circumstances of their 
involvement and provided with such information as they require to facilitate their 
involvement in response activities. 

2) Emergency equipment 

Emergency equipment needs should be identified, and equipment should be provided in 
adequate quantity. This should be tested at specified intervals for continuing operability. 

Examples include the following items: 

— alarm systems; 

— emergency lighting and power; 

— means of escape; 

— safe refuges; 

— critical isolation valves, switches and cut-outs; 

— fire-fighting equipment; 

— first aid equipment (including emergency showers, eye wash stations, etc.); 

— communication facilities. 

3) Practice drills 

Practice drills should be carried out according to a pre-determined schedule. Where 
appropriate and practicable, the participation of external emergency services in practice drills 
should be encouraged. 

e) Typical outputs 

Typical outputs include the following items: 

— documented emergency plans and procedures; 

— emergency equipment list; 

— test records for emergency equipment; 

— records of the following: 

— practice drills; 

— reviews of practice drills; 

— recommended actions arising from the reviews; 

— progress against the achievement of recommended actions. 
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4.5 Checking and corrective action 
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4.5.1 Performance measurement and monitoring 
a) OHSAS 18001 requirement 


The organization shall establish and maintain procedures to monitor and measure OH&S 
performance on a regular basis. These procedures shall provide for: 

— both qualitative and quantitative measures, appropriate to the needs of the 
organization; 

— monitoring of the extent to which the organization’s OH&S objectives are met; 

— proactive measures of performance that monitor compliance with the OH&S 
management programme, operational criteria and applicable legislation and regulatory 
requirements; 

— reactive measures of performance to monitor accidents, ill health, incidents (including 
near-misses) and other historical evidence of deficient OH&S performance; 

— recording of data and results of monitoring and measurement sufficient to facilitate 
subsequent corrective and preventative action analysis. 

If monitoring equipment is required for performance measurement and monitoring, the 
organization shall establish and maintain procedures for the calibration and maintenance of 
such equipment. Records of calibration and maintenance activities and results shall be 
retained. 
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b)Intent 

The organization should identify key performance parameters for its OH&S performance across 
the whole organization. These should include, but not be limited to, parameters that determine 
whether: 

— OH&S policy and OH&S objectives are being achieved; 

— risk controls have been implemented and are effective; 

— lessons are being learnt from OH&S management system failures, including hazardous 
events (accidents, near misses and illness cases); 

— awareness, training, communication and consultation programmes for employees and 
interested parties are effective; 

— information that can be used to review and/or improve aspects of the OH&S management 
system is being produced and being used. 


c) Typical inputs 

Typical inputs include the following items: 

— hazard identification, risk assessment and risk control results (see 4.3.1); 

— legislation requirements, regulations, best practices (if any); 

— OH&S policy and OH&S objectives; 

— procedure for dealing with non-conformances; 

— equipment test and calibration records (including those belonging to contractors); 

— training records (including those belonging to contractors); 

— management reports. 

d) Process 

1) Proactive and reactive monitoring 

An organization’s OH&S management system should incorporate both proactive and reactive 
monitoring as follows: 

— proactive monitoring should be used to check conformity to the organization’s OH&S 
activities, for example by monitoring the frequency and effectiveness of OH&S inspections; 

— reactive monitoring should be used to investigate, analyse and record OH&S 
management system failures — including accidents, incidents (including near misses), ill- 
health and property damage cases. 

Both proactive and reactive monitoring data are often used to determine whether OH&S 
objectives are achieved (see BS 8800:1996, E.3.2 and E.3.3 for further guidance). 

2) Measurement techniques 

The following are examples of methods that can be used to measure OH&S performance: 

— results of hazard identification, risk assessment and risk control processes; 
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— systematic workplace inspections using checklists; 

— OH&S inspections: for example, on a "walk through" basis; 

— prior evaluations of new plant, equipment, materials, chemicals, technologies, 
processes, procedures or work patterns; 

— inspections of specific machinery and plant to check that safety related parts are fitted 
and in good condition; 

— safety sampling: examining specific aspects of OH&S; 

— environmental sampling: measuring exposure to chemical, biological or physical agents 
(e.g. noise, volatile organic compounds, legionella) and comparing with recognized 
standards; 

— availability and effectiveness of use of personnel with recognized OH&S experience or 
formal qualifications; 

— behaviour sampling: assessing workers’ behaviour to identify unsafe work practices 
that might require correction; 

— analysis of documentation and records; 

— benchmarking against good OH&S practices in other organizations; 

— surveys to determine employee attitudes on the OH&S management system, OH&S 
practices, and employee consultation processes. 

Organizations need to decide what to monitor and how often monitoring should take place 
based on the level of risk (see 4.3.1). The frequency of plant or machinery inspections can be 
defined by law (e.g. for air receivers, steam plant, lifting equipment). An inspection schedule 
based on hazard identification and risk assessment results, legislation, and regulations should 
be prepared as part of the OH&S management system. 

Routine OH&S monitoring of processes, workplaces and practices should be carried out according to 
a documented monitoring scheme by front-line or middle managers. All front-line supervisory 
personnel should undertake spot checks of critical tasks in order to assure conformity to OH&S 
procedures and codes of practice. To assist in performing systematic inspections and monitoring, 
checklists can be used. 

3) Inspections 

i) Equipment. An inventory (using unique identification of all items) should be drawn up of all 
equipment subject to statutory or technical examination by relevant personnel (who may be from 
external bodies). Such equipment should be inspected as required, and should be included in the 
inspection schemes. 

ii) Work conditions. Criteria that specify acceptable workplace conditions should be established 
and documented. At specified intervals, managers should perform inspections against these criteria. 

A checklist giving details of the criteria and all items to be inspected may be used for this purpose. 

hi) Verification inspections. Verification inspections should be carried out, but these should not 
absolve front-line managers from carrying out regular inspections, or from identifying hazards. 

iv) Inspection records. A record should be kept of every OH&S inspection carried out. The 
records should indicate whether or not documented OH&S procedures were being conformed to. 
Records of OH&S inspections, tours, surveys, and OH&S management system audits should be 
sampled to identify underlying causes of non-conformity and repetitive hazards. Any necessary 
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preventive action should be taken. Sub-standard conditions and unsafe situations and items 
identified during the inspections should be documented as non-conformances, assessed as to 
risk and corrected in accordance with the non-conformance procedure. 

4) Measuring equipment 

Measuring equipment that is used to assess OH&S conditions (e.g. sound level meters, light 
meters, air samplers) should be listed, identified uniquely, and controlled. The accuracy of 
this equipment should be known. Where necessary, written procedures should be available 
describing how OH&S measurements are performed. Equipment used for OH&S measurement 
should be maintained and stored in a proper manner, and should be capable of giving 
measurements of the accuracy required. 

When required, a calibration scheme should be documented for the measuring equipment. This 
scheme should include the following items: 

— the frequency of calibration; 

— reference to test methods, where applicable; 

— identity of the equipment to be used for the calibration; 

— action to be taken when the specified measuring equipment is found to be out of 
calibration. 

Calibration should be carried out under appropriate conditions. Procedures should be prepared for 
critical or difficult calibrations. 

Equipment used for calibration should be in accordance with national standards where such 
standards exist. If no such standards exist, the basis for the levels used should be documented. 

Records should be kept of all calibrations, maintenance activities and results. Records should give 
details of the measurements before and after adjustment. 

The calibration status of measuring equipment should be clearly identified to the users. 

OH&S measuring equipment whose calibration status is unknown, or which is known to be 
out of calibration, should not be used. Additionally, it should be removed from use, and be 
clearly labelled, tagged, or otherwise marked, to prevent misuse. Such marking should be in 
accordance with written procedures. The procedures should include the identification of the 
calibration status of the product. A non-conformance should be issued to document the actions 
taken. The procedures should include an action plan if out-of-calibration equipment is 
discovered. 

5) Supplier (contractor) equipment 

Measuring equipment used by contractors should be subject to the same controls as in-house 
equipment. Contractors should be required to give assurances that their equipment conforms 
to these requirements. Prior to initiating the work, the supplier should provide a copy of its 
equipment test records for any identified critical equipment that require such records. If any 
tasks require special training, the corresponding training records should be provided to the 
customer for review. 

6) Statistical or other theoretical analytical techniques 

Any statistical or other theoretical analytical technique used to assess an OH&S situation, to 
investigate an OH&S incident or failure, or to assist in decision-making in relation to OH&S should 
be based on sound scientific principles. The management appointee should ensure that the need for 


36 


© BSI 02-2000 



OHSAS 18002:2000 


such techniques is identified. Where appropriate, guidelines for their use should be documented, 
along with the circumstances in which they are appropriate. 

e) Typical outputs 

Typical outputs include the following items: 

— procedure(s) for monitoring and measuring; 

— inspection schedules and checklists; 

— "critical" equipment lists; 

— equipment inspection checklists; 

— workplace conditions standards and inspection checklists; 

— measuring equipment lists; 

— measurement procedures; 

— calibration scheme, and calibration records; 

— maintenance activities and results; 

— completed checklists, inspection reports (OH&S management system audit outputs, 
see 4.5.4); 

— non-conformance reports; 

— evidence of the results of implementing such procedure(s). 


4.5.2 Accidents, incidents, non-conformances and corrective and preventive action 

a) OHSAS 18001 requirement 


The organization shall establish and maintain procedures for defining responsibility and 
authority for: 

a) the handling and investigation of: 

— accidents; 

— incidents; 

— non-conformances; 

b) taking action to mitigate any consequences arising from accidents, incidents or 
non-conformances; 

c) the initiation and completion of corrective and preventive actions; 

d) confirmation of the effectiveness of corrective and preventive actions taken. 

These procedures shall require that all proposed corrective and preventive actions shall be 
reviewed through the risk assessment process prior to implementation. 

Any corrective or preventive action taken to eliminate the causes of actual and potential non¬ 
conformances shall be appropriate to the magnitude of problems and commensurate with the 
OH&S risk encountered. 

The organization shall implement and record any changes in the documented procedures 
resulting from corrective and preventive action. 
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b) Intent 

Organizations should have effective procedures for reporting and evaluating/investigating 
accidents, incidents and non-conformances. The prime purpose of the procedure(s) is to prevent 
further occurrence of the situation by identifying and dealing with the root cause(s). Furthermore, 
the procedures should enable the detection, analysis and elimination of potential causes of non¬ 
conformities. 

c) Typical inputs 

Typical inputs include the following items: 

— procedures (in general): 

— emergency plan; 

— hazard identification, risk assessment and risk control reports; 

— OH&S management system audit reports, including non-conformance reports; 

— accident, incident and/or hazard reports; 

— maintenance and service reports. 


d) Process 

The organization is required to prepare documented procedures to ensure that accidents, incidents 
and non-conformances (see clause 3) are investigated, and corrective and/or preventive actions 
initiated. Progress in the completion of corrective and preventive actions should be monitored, and 
the effectiveness of such actions reviewed. 

1) Procedures 

The procedures should include consideration of the following items: 
i) General 

The procedure should: 

— define the responsibilities and authority of the persons involved in implementing, 
reporting, investigating, follow-up and monitoring of corrective and preventive actions; 

— require that all non-conformances, accidents, incidents and hazards be reported; 

— apply to all personnel (i.e. employees, temporary workers, contractor personnel, 
visitors and any other person in the workplace); 

— take into account property damage; 

— ensure that no employee suffers any hardship as a result of reporting a non¬ 
conformance, accident or incident; 

— clearly define the course of action to be taken following non-conformances identified 
in the OH&S management system. 


ii) Immediate action 

Immediate action to be taken upon observation of non-conformances, accidents, incidents or 
hazards should be known to all parties. The procedures should: 
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— define the process for notification; 

— where appropriate, include co-ordination with emergency plans and procedures; 

— define the scale of investigative effort in relation to the potential or actual harm 
(e.g. include management in the investigation for serious accidents). 

iii) Recording 

Appropriate means should be used to record the factual information and the results of the 
immediate investigation and the subsequent detailed investigation. The organization 
should ensure that the procedures are followed for: 

— recording the details of the non-conformance, accident or hazard; 

— defining where the records are to be stored, and responsibility for the storage. 


iv) Investigation 

The procedures should define how the investigation process should be handled. The 
procedures should identify: 

— the type of events to be investigated (e.g. incidents that could have led to serious 
harm); 

— the purpose of investigations; 

— who is to investigate, the authority of the investigators, required qualifications 
(including line management when appropriate); 

— the root cause of non-conformance; 

— arrangements for witness interviews; 

— practical issues such as availability of cameras and storage of evidence; 

— investigation reporting arrangements including statutory reporting requirements. 


Investigatory personnel should begin their preliminary analysis of the facts while further 
information is collected. Data collection and analysis should continue until an adequate 
and sufficiently comprehensive explanation is obtained. 

v) Corrective action 

Corrective actions are actions taken to eliminate the root cause(s) of identified non¬ 
conformances, accidents or incidents, in order to prevent recurrence. Examples of elements 
to be considered in establishing and maintaining corrective action procedures include: 

— identification and implementation of corrective and preventive measures both for 
the short-term as well as long-term (this can also include the use of appropriate sources 
of information, such as advice from employees with OH&S expertise); 

— evaluation of any impact on hazard identification and risk assessment results (and 
any need to update hazard identification, risk assessment and risk control report(s)); 

— recording any required changes in procedures resulting from the corrective action 
or hazard identification, risk assessment and risk control; 
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— application of risk controls, or modification of existing risk controls, to ensure that 
corrective actions are taken and that they are effective. 


vi) Preventive action 

Examples of elements to be considered in establishing and maintaining preventive action 
procedures include: 

— use of appropriate sources of information (trends in "no loss incidents", OH&S 
management system audit reports, records, updating of risk analyses, new information 
on hazardous materials, safety "walk-throughs", advice from employees with OH&S 
expertise, etc.); 

— identification of any problems requiring preventive action; 

— initiation and implementation of preventive action and the application of controls 
to ensure that it is effective; 

— recording of any changes in procedures resulting from the preventive action and 
submission for approval. 


vii) Follow-up 

Corrective or preventive action taken should be as permanent and effective as practicable. 
Checks should be made on the effectiveness of corrective/preventive action taken. 
Outstanding/overdue actions should be reported to top management at the earliest 
opportunity. 

2) Non-conformance, accident and incident analysis 

Identified causes of non-conformances, accidents and incidents should be classified, and 
analysed on a regular basis. Accident frequency and severity ratings should be calculated in 
accordance with accepted industrial practice for comparison purposes. 

Classification and analysis should be carried out of the following items: 

— reportable or lost-time injury/illness frequency or severity rates; 

— location, injury type, body part, activity involved, agency involved, day, time of day 
(whichever is appropriate); 

— type and amount of property damage; 

— direct, and root causes. 

Due attention should be given to accidents involving property damage. Records relating to repair of 
property could be an indicator of damage caused by an unreported accident/incident. 

Accident and illness data/information are vital, as they can be a direct indicator of OH&S 
performance. However, caution in their use should be exercised as the following points need to 
be considered: 

— most organizations have too few injury accidents or cases of work related illness to 
distinguish real trends from random effects; 

— if more work is done by the same number of people in the same time, increased 
workload alone can account for an increase in accident rates; 


40 


© BSI 02-2000 



OHSAS 18002:2000 


— the length of absence from work attributed through injury or work-related illness can 
be influenced by factors other than the severity of injury or occupational illness, such as 
poor morale, monotonous work and poor management/employee relations; 

— accidents are often under-reported (and occasionally over-reported). Levels of reporting 
can change. They can improve as a result of increased workforce awareness and better 
reporting and recording systems; 

— a time delay will occur between OH&S management system failures and harmful 
effects. Moreover, many occupational diseases have long latent periods. It is not desirable 
to wait for harm to occur before judging whether OH&S management systems are working. 


Valid conclusions should be drawn and corrective action taken. At least annually, this analysis 
should be circulated to top management and included in the management review (see 4.6). 

3) Monitoring and communicating results 

The effectiveness of OH&S investigations and reporting should be assessed. The assessment 
should be objective, and should yield a quantitative result if possible. 

The organization, having learnt from the investigation, should: 

— identify the root causes of deficiencies in the OH&S management system and general 
management of the organization, where applicable; 

— communicate findings and recommendations to management and relevant interested 
parties (see 4.4.3); 

— include relevant findings and recommendations from investigations in the continuing 
OH&S review process; 

— monitor the timely implementation of remedial controls, and their subsequent 
effectiveness over time; 

— apply the lessons learnt from the investigation of non conformances across its whole 
organization, focussing on the broad principles involved, rather than being restricted to 
specific action designed to avoid repetition of a precisely similar event in the same area of 
the organization. 


4) Record keeping 

This can be accomplished rapidly and with a minimum of formal planning or it can be a more 
complex and long-term activity. The associated documentation should be appropriate to the 
level of corrective action. 

Reports and suggestions should be sent to the management appointee, and, where 
appropriate, the employee OH&S representative, for analysis and filing. 

The organization should maintain a register of all accidents. Incidents that had the potential 
for significant OH&S consequences, should also be included. Such a register is often required 
by legislation. 

e) Typical outputs 

Typical outputs include the following items: 

— accident and non-conformance procedure; 
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— non-conformance reports; 

— non-conformance register; 

— investigation reports; 

— updated hazard identification, risk assessment and risk control reports; 

— management review input; 

— evidence of evaluations of the effectiveness of corrective and preventive actions taken. 

4.5.3 Records and records management 

a) OHSAS 18001 requirement 

The organization shall establish and maintain procedures for the identification, maintenance 
and disposition of OH&S records, as well as the results of audits and reviews. 

OH&S records shall be legible, identifiable and traceable to the activities involved. OH&S 
records shall be stored and maintained in such a way that they are readily retrievable and 
protected against damage, deterioration or loss. Their retention times shall be established and 
recorded. 

Records shall be maintained, as appropriate to the system and to the organization, to 
demonstrate conformance to this OHSAS specification. _ 


b) Intent 

Records should be kept to demonstrate that the OH&S management system operates effectively, and 
that processes have been carried out under safe conditions. OH&S records that document the 
management system and conformance to the requirements should be prepared, maintained, legible, and 
adequately identified. 

c) Typical inputs 

Records (used to demonstrate conformance to the requirements) that should be kept include the 
following items: 

— training records; 

— OH&S inspection reports; 

— OH&S management system audit reports; 

— consultation reports; 

— accident/incident reports; 

— accident/incident follow-up reports; 

— OH&S meeting minutes ; 

— medical test reports; 

— health surveillance reports; 

— PPE issues and PPE maintenance records; 

— reports of emergency response drills; 

— management reviews; 

— hazard identification, risk assessment and risk control records. 
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d) Process 

The requirement in OHSAS 18001 is largely self-explanatory. However, additional consideration should 
also be given to the following items: 

— the authority for disposal of OH&S records; 

— the confidentiality of the OH&S records; 

— legal and other requirements on the retention of OH&S records; 

— issues surrounding the use of electronic records. 


OH&S records should be fully filled out, legible, and adequately identified. Retention times for OH&S 
records should be defined. Records should be stored in a safe place, readily retrievable and protected 
from deterioration. Critical OH&S records should be protected from possible fire and other damage as 
appropriate, or as required by law. 

e) Typical outputs 

Typical outputs include the following items: 

— procedure (for the identification, maintenance and disposition of OH&S records); 

— adequately stored and readily retrievable OH&S records. 


4.5.4 Audit 

a) OHSAS 18001 requirement 


The organization shall establish and maintain an audit programme and procedures for 
periodic OH&S management system audits to be carried out, in order to: 

a) determine whether or not the OH&S management system: 

1) conforms to planned arrangements for OH&S management including the 
requirements of this OHSAS specification; 

2) has been properly implemented and maintained; and 

3) is effective in meeting the organization’s policy and objectives; 

b) review the results of previous audits; 

c) provide information on the results of audits to management. 

The audit programme, including any schedule, shall be based on the results of risk 
assessments of the organization’s activities, and the results of previous audits. The audit 
procedures shall cover the scope, frequency, methodologies and competencies, as well as the 
responsibilities and requirements for conducting audits and reporting results. 

Wherever possible, audits shall be conducted by personnel independent of those having direct 
responsibility for the activity being examined. 

NOTE The word "independent" here does not necessarily mean external to the organization. 
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b)Intent 

OH&S management system auditing is a process whereby organizations can review and 
continuously evaluate the effectiveness of their OH&S management system. In general, OH&S 
management system audits need to consider OH&S policy and procedures, and the conditions and 
practices in the workplace. 

An internal OH&S management system audit programme should be established to allow the 
organization to review its own conformity of its OH&S management system to OHSAS 18001. 
Planned OH&S management system audits should be carried out by personnel from within the 
organization and/or by external personnel selected by the organization, to establish the degree of 
conformity to the documented OH&S procedures, and to assess whether or not the system is 
effective in meeting the OH&S objectives of the organization. In either case, the personnel 
conducting the OH&S management system audits should be in a position to do so impartially and 
objectively. 


NOTE Internal OH&S management system audits focus on the performance of the OH&S management system. They 
should not be confused with OH&S or other safety inspections. 


c) Typical inputs 

Typical inputs include the following items: 

— OH&S policy statement; 

— OH&S objectives; 

— OH&S procedures and work instructions; 

— hazard identification, risk assessment and risk control results; 

— legislation and best practices (if applicable); 

— non-conformance reports; 

— OH&S management system audit procedures; 

— competent, independent, internal/external auditor(s); 

— non-conformance procedure. 


d) Process 
1) Audits 

OH&S management system audits provide a comprehensive and formal assessment of the 
organization’s conformity to OH&S procedures and practices. 

OH&S management system audits should be conducted according to planned arrangements. 
Additional audits can need to be performed as circumstances require. 

OH&S management system audits should be carried out only by competent, independent, 
personnel. 

The output of an OH&S management system audit should include detailed assessments of the 
effectiveness of OH&S procedures, the level of compliance with procedures and practices, and 
should, where necessary, identify corrective actions. The results of the OH&S management 
system audits should be recorded and reported to management, in a timely manner. 
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A review of the results should be carried out by management and effective corrective action 
taken (where necessary). 


NOTE The general principles and methodology described in ISO 10011-1, ISO 10011-2, ISO 10011-3, ISO 14010, 
ISO 14011, ISO 14012 or BS 8800:1996, annex F, are appropriate for OH&S management system auditing. 


2) Scheduling 

An annual plan should be prepared for carrying out internal OH&S management system 
audits. The OH&S management system audits should cover the entire operation which is 
subject to the OH&S management system, and assess conformity to OHSAS 18001. 

The frequency and coverage of OH&S management system audits should be related to the 
risks associated with the failure of the various elements of the OH&S management system, 
available data on the performance of the OH&S management system, the output from 
management reviews, and the extent to which the OH&S management system or the 
environment in which it operates are subject to change. 

Additional, unplanned, OH&S management system audits can need to be conducted, if 
situations occur which warrant them, e.g. after an accident. 

3) Management support 

For OH&S management system auditing to be of value, it is necessary that top management 
are fully committed to the concept of OH&S management system auditing and its effective 
implementation within the organization. Top management should consider OH&S 
management system audit findings and recommendations and take appropriate action as 
necessary, within an appropriate time. Once it has been agreed that an OH&S management 
system audit should be carried out it should be completed in an impartial way. All relevant 
personnel should be informed of the purposes of OH&S management system auditing and the 
benefits. Staff should be encouraged to co-operate fully with the auditors and to respond to 
their questions honestly. 

4) Auditors 

One or more persons may undertake OH&S management system audits. A team approach can 
widen involvement and improve co-operation. A team approach can also allow a wider range of 
specialist skills to be utilized. 

Auditors should be independent of the part of the organization or the activity that is to be 
audited. 

Auditors need to understand their task and be competent to carry it out. They need to have 
the experience and knowledge of the relevant standards and systems they are auditing to 
enable them to evaluate performance and identify deficiencies. Auditors should be familiar 
with the requirements set out in any relevant legislation. In addition, auditors should be 
aware of, and have access to, standards and authoritative guidance relevant to the work they 
are engaged in. 
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5) Data collection and interpretation 

The techniques and aids used in the collection of the information will depend on the nature of 
the OH&S management system audit being undertaken. The OH&S management system 
audit should ensure that a representative sample of essential activities is audited and that 
relevant personnel (including employee OH&S representatives, where appropriate) are 
interviewed. Relevant documentation should be examined. This can include the following 
documentation: 

— OH&S management system documentation; 

— OH&S policy statement; 

— OH&S objectives; 

— OH&S and emergency procedures; 

— permit to work systems and procedures; 

— minutes of OH&S meetings; 

— accident/incident reports and records; 

— any reports or communication from the OH&S enforcement or other regulatory bodies 
(verbal, letters, notices, etc.); 

— statutory registers and certificates; 

— training records; 

— previous OH&S management system audit reports; 

— corrective action requests; 

— non-conformance reports. 


Wherever possible checks should be built into the OH&S management system audit 
procedures to help to avoid misinterpretation or misapplication of collected data, information 
or other records. 

6) Audit results 

The content of the final OH&S management system audit report should be clear, precise and 
complete. It should be dated and signed by the auditor. It should, depending on the case, 
contain the following elements; 

— the OH&S management system audit objectives and scope; 

— the particulars of the OH&S management system audit plan, identification of the 
members of the auditing team and the audited representatives, dates of audit and 
identification of the areas subject to audit; 

— the identification of reference documents used to conduct the OH&S management 
system audit (e.g. OHSAS 18001, OH&S management handbook); 

— details of identified non-conformances; 

— the auditor’s assessment of the degree of conformity with OHSAS 18001; 

— the ability of the OH&S management system to achieve the stated OH&S management 
objectives; 

— the distribution of the final OH&S management system audit report. 
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The results of OH&S management system audits should be fed back to all relevant parties as 
soon as possible, to allow corrective actions to be taken. An action plan of agreed remedial 
measures should be drawn up together with identification of responsible persons, completion 
dates and reporting requirements. Follow-up monitoring arrangements should be established to 
ensure satisfactory implementation of the recommendations. 

Confidentiality should be considered when communicating the information contained within 
the OH&S management system audit reports. 

e) Typical outputs 

Typical outputs include the following items: 

— OH&S management system audit plan/program; 

— OH&S management system audit procedures; 

— OH&S management system audit reports, including non-conformance reports, 
recommendations and corrective action requests; 

— signed-off/closed-out non-conformance reports; 

— evidence of the reporting of the results of OH&S management system audits to 
management. 


4.6 Management review 
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a) OHSAS 18001 requirement 


The organization's top management shall, at intervals that it determines, review the OH&S 
management system, to ensure its continuing suitability, adequacy and effectiveness. The 
management review process shall ensure that the necessary information is collected to allow 
management to carry out this evaluation. This review shall be documented. 

The management review shall address the possible need for changes to policy, objectives and other 
elements of the OH&S management system, in the light of OH&S management system audit 
results, changing circumstances and the commitment to continual improvement . _ 


b) Intent 

Top management should review the operation of the OH&S management system to assess whether 
it is being fully implemented and remains suitable for achieving the organization’s stated OH&S 
policy and OH&S objectives. 

The review should also consider whether the OH&S policy continues to be appropriate. It should 
establish new or updated OH&S objectives for continual improvement, appropriate to the coming 
period, and consider whether changes are needed to any elements of the OH&S management 
system. 

c) Typical inputs 

Typical inputs include the following items: 

— accident statistics; 

— results of internal and external OH&S management system audits; 

— corrective actions carried out to the system since the previous review; 

— reports of emergencies (actual or exercises); 

— report from the management appointee on the overall performance of the system; 

— reports from individual line managers on the effectiveness of the system locally; 

— reports of hazard identification, risk assessment and risk control processes. 


d) Process 

Reviews should be carried out by top management, on a regular basis (e.g. annually ). The review 
should focus on the overall performance of the OH&S management system and not on specific 
details, since these should be handled by the normal means within the OH&S management 
system. 

In planning for a management review, consideration should be given to the following: 

— the topics to be addressed; 

— who should attend (managers, OH&S specialist advisors, other personnel); 

— responsibilities of individual participants in respect of the review; 

— information to be brought to the review; 
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The review should address the following subjects: 

— suitability of current OH&S policy; 

— setting or updating of OH&S objectives for continual improvement in the forthcoming 
period; 

— adequacy of current hazard identification, risk assessment and risk control processes; 

— current levels of risk and the effectiveness of existing control measures; 

— adequacy of resources (financial, personnel, material); 

— the effectiveness of the OH&S inspection process; 

— the effectiveness of the hazard reporting process; 

— data relating to accidents and incidents that have occurred; 

— recorded instances of procedures not being effective; 

— results of internal and external OH&S management system audits carried out since the 
previous review and their effectiveness; 

— the state of preparedness for emergency; 

— improvements to the OH&S management system (e.g. new initiatives to be introduced or 
expansion of existing initiatives); 

— output of any investigations into accidents and incidents; 

— an assessment of the effects of foreseeable changes to legislation or technology. 

The management appointee should report to the meeting on the overall performance of the OH&S 
management system. 

Partial reviews of the OH&S management system performance should be held at intervals that are 
more frequent, if required. 

e) Typical outputs 

Typical outputs include the following items: 

— minutes of the review; 

— revisions to the OH&S policy and OH&S objectives; 

— specific corrective actions for individual managers, with target dates for completion; 

— specific improvement actions, with assigned responsibilities and target dates for 
completion; 

— date for review of corrective action; 

— areas of emphasis to be reflected in the planning of future internal OH&S management 
system audits. 
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Annex A (informative) 

Correspondence between OHSAS 18001, BS EN ISO 9001 (Quality systems) 
and BS EN ISO 14001 (Environmental management system) 

The basic principles of management are common irrespective of the activity being managed, be it 
quality, environment, health and safety or other organizational activities. Some organizations can 
see benefits in having an integrated management system, whereas others can prefer to adopt 
different systems based on the same management principles. Table A.l shows the correspondence 
between OHSAS 18001 and BS EN ISO 9001 and BS EN ISO 14001 for those operating either of 
these international management system standards and who now wish to integrate occupational 
health and safety into their management systems. The correspondence is shown for guidance only. 


Table A.1 — Correspondence between OHSAS 18001:1999, ISO 14001:1996 and ISO 9001:1994 


Clause 

OHSAS 18001 

Clause 

ISO 14001:1996 

Clause 

ISO 9001:1994 

1 

Scope 

1 

Scope 

1 

Scope 

2 

Reference publications 

2 

Normative reference 

2 

Normative reference 

3 

Definitions 

3 

Definitions 

3 

Definitions 

4 

OH&S management 
system elements 

4 

Environmental 
management system 
requirements 

4 

Quality system requirements 

4.1 

General requirements 

4.1 

General requirements 

4.2.1 

General (1st sentence) 

4.2 

OH&S policy 

4.2 

Environmental policy 

4.1.1 

Quality policy 

4.3 

Planning 

4.3 

Planning 

4.2 

Quality system 

4.3.1 

Planning for hazard 
identification, risk 
assessment and risk 
control 

4.3.1 

Environmental aspects 

4.2 

Quality system 

4.3.2 

Legal and other 
requirements 

4.3.2 

Legal and other 
requirements 



4.3.3 

Objectives 

4.3.3 

Objectives and targets 

4.2 

Quality system 

4.3.4 

OH&S management 
programme(s) 

4.3.4 

Environmental 

management 

programme(s) 

4.2 

Quality system 

4.4 

Implementation and 
operation 

4.4 

Implementation and 
operation 

4.2 

4.9 

Quality system 

Process control 

4.4.1 

Structure and 
responsibility 

4.4.1 

Structure and 
responsibility 

4.1 

4.1.2 

Management responsibility 
Organization 

4.4.2 

Training, awareness 
and competence 

4.4.2 

Training, awareness and 
competence 

4.18 

Training 

4.4.3 

Consultation and 
communication 

4.4.3 

Communication 



4.4.4 

Documentation 

4.4.4 

Environmental 
management system 
documentation 

4.2.1 

General (without 1st 
sentence) 

4.4.5 

Document and data 
control 

4.4.5 

Document control 

4.5 

Document and data control 
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Table A.1 - continued 


Clause 

OHSAS 18001 

Clause 

ISO 14001:1996 

Clause 

ISO 9001:1994 

4.4.6 

Operational control 

4.4.6 

Operational control 

4.2.2 

4.3 

4.4 

4.6 

4.7 

4.8 

4.9 

4.15 

4.19 

4.20 

Quality system procedures 
Contract review 

Design control 

Purchasing 

Customer supplied product 
Product identification and 
traceability 

Process control 

Handling, storage, packaging, 
preservation and delivery 
Servicing 

Statistical techniques 

4.4.7 

Emergency 
preparedness and 
response 

4.4.7 

Emergency preparedness 
and response 



4.5 

Checking and corrective 
action 

4.5 

Checking and corrective 
action 



4.5.1 

Performance 
measurement and 
monitoring 

4.5.1 

Monitoring and 
measurement 

4.10 

4.11 

4.12 

Inspection and testing 

Control of inspection, 
measuring and test 
equipment 

Inspection and test status 

4.5.2 

Accidents, incidents, 
nonconformance and 
corrective and 
preventive action 

4.5.2 

Nonconformance and 
corrective and preventive 
action 

4.13 

4.14 

Control of nonconforming 
product 

Corrective and preventive 
action 

4.5.3 

Records and records 
management 

4.5.3 

Records 

4.16 

Control of quality records 

4.5.4 

Audit 

4.5.4 

Environmental 
management system audit 

4.17 

Internal quality audits 

4.6 

Management review 

4.6 

Management review 

4.1.3 

Management review 

Annex 

A 

Correspondence to ISO 
14001, ISO 9001 

Annex 

B 

Correspondence to ISO 

9001 




Bibliography 

Annex 

C 

Bibliography 

Annex 

A 

Bibliography 


(OHSAS 18002) 

Annex 

A 

Guidance on the use of 
the specification 
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